A few days ago, the Ruby core team announced several newly discovered security vulnerabilities. Ruby versions prior to 1.8.6-p285 and 1.8.7-p70 are vulnerable. The previous version of Ruby Enterprise Edition is also vulnerable because it’s based on 1.8.6-p114.

Earlier Ruby releases had some crash bugs and incompatibility problems. It goes without saying that such problems are unacceptable in production environments, so we have been careful and have taken the time to test 1.8.6-p286 against various test suites:

We tested it against the Ruby on Rails test suite (edge). All tests passed.

We tested it against the RubySpec test suite (git HEAD from yesterday). All tests passed. In fact, Ruby 1.8.6-p114 fails a few tests, so p286 is more Ruby-compliant.

We tested it against the test suites of several of our internal applications. All tests passed.

So our conclusion is that Ruby 1.8.6-p286 is indeed stable and compatible. Kudos to the Ruby core developers for this excellent release!

We’ve prepared a new Ruby Enterprise Edition release, based on Ruby 1.8.6-p286. The official Ruby on Rails wiki has been running on this Ruby Enterprise Edition version since yesterday (in addition to Phusion Passenger git HEAD), and everything seems to be rock-solid so far.

This Ruby Enterprise Edition release not only includes upstream Ruby’s security vulnerability fixes and other bug fixes, but also some Ruby Enterprise Edition-specific improvements and fixes:

MySQL headers are autodetected

Many people have problems installing the MySQL gem, especially on non-Linux platforms. That’s because the gem cannot find the MySQL development headers. The Ruby Enterprise Edition installer now autodetects the MySQL headers, which should greatly improve the success rate of MySQL gem installation.
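The detection described above, written out as an added example in Ruby (the installer's own language). This is not the Ruby Enterprise Edition installer's code: the candidate directory list, the hypothetical `find_mysql_include_dir` helper and the fake prefix built in the demo are assumptions made for this example. It asks `mysql_config --include` first, then probes a list of well-known directories for `mysql.h`, and only passes `--with-mysql-include` (the flag mkmf's `dir_config("mysql")` accepts) to `gem install` when a directory was actually found.

```ruby
require 'tmpdir'
require 'fileutils'

# Common locations for the MySQL client headers. The list and its order are an
# assumption for this example, not the installer's actual search list.
MYSQL_INCLUDE_CANDIDATES = [
  "/usr/include/mysql",
  "/usr/local/include/mysql",
  "/usr/local/mysql/include",
  "/opt/local/include/mysql5/mysql",  # MacPorts
  "/sw/include/mysql",                # Fink
].freeze

# Ask mysql_config for its "-I" flag and return the directory, or nil when the
# tool is missing or fails. +mysql_config+ is the executable to run.
def mysql_config_include_dir(mysql_config = "mysql_config")
  output = IO.popen([mysql_config, "--include"], :err => File::NULL, &:read)
  return nil unless $?.success?
  flag = output.to_s.split.find { |f| f.start_with?("-I") }
  flag && flag[2..-1]
rescue Errno::ENOENT, Errno::EACCES
  nil
end

# First directory (mysql_config's answer first, then the candidates) that
# actually contains mysql.h, or nil if none does. Checking for the header file
# itself avoids trusting a directory that merely exists.
def find_mysql_include_dir(candidates = MYSQL_INCLUDE_CANDIDATES,
                           mysql_config = "mysql_config")
  probed = [mysql_config_include_dir(mysql_config)].compact + candidates
  probed.find { |dir| File.file?(File.join(dir, "mysql.h")) }
end

# Arguments an installer would hand to `gem install mysql`. Without a detected
# directory the gem is left to its own (often failing) default search.
def mysql_gem_install_args(include_dir)
  args = %w[gem install mysql]
  args += ["--", "--with-mysql-include=#{include_dir}"] if include_dir
  args
end

# Constructed demo: a fake prefix with mysql.h present in one candidate
# directory and absent from another. mysql_config is pointed at a path that
# does not exist so the result does not depend on the host.
def demo_detect_mysql_headers
  Dir.mktmpdir("fake-prefix") do |prefix|
    with_headers = File.join(prefix, "usr/local/include/mysql")
    without      = File.join(prefix, "usr/include/mysql")
    FileUtils.mkdir_p([with_headers, without])
    File.write(File.join(with_headers, "mysql.h"), "/* constructed stub */\n")
    found = find_mysql_include_dir([without, with_headers], "/nonexistent/mysql_config")
    [found == with_headers, mysql_gem_install_args(found).last]
  end
end

puts demo_detect_mysql_headers.inspect if __FILE__ == $0
```

On a real host you would call `find_mysql_include_dir` with no arguments so that `mysql_config` on `PATH` and the default candidate list are consulted.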

Bug fix: don’t overwrite shebang lines for non-Ruby scripts

Normally, the installer changes the shebang lines of all scripts in $PREFIX/bin to point at the Ruby Enterprise Edition binary ($PREFIX being the location that Ruby Enterprise Edition is installed to). However, this changed all shebang lines, even those of non-Ruby scripts. This has been fixed: only the shebang lines of Ruby scripts are now changed.
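The fixed behaviour, as an added Ruby example that is not the installer's own code: a file is rewritten only when its first line is a shebang that invokes a ruby interpreter (directly or via `env`), interpreter flags such as `-w` are preserved, and everything else in the bin directory is left untouched. The `RUBY_SHEBANG` pattern, the helper names and the sample bin directory built in the demo are assumptions made for this example.

```ruby
require 'tmpdir'

# A shebang that runs a ruby interpreter, directly or through env:
#   "#!/usr/bin/ruby", "#!/usr/local/bin/ruby1.8 -w", "#!/usr/bin/env ruby".
# Interpreters merely containing "ruby" (e.g. jruby) also match; "rubydoc" does
# not, because the name must end right before whitespace or end of line.
RUBY_SHEBANG = %r{\A#!\s*(?:\S*/env\s+)?\S*ruby[\d.]*(?:\s|\z)}

# True only for regular files whose first line is a ruby shebang.
def ruby_script?(path)
  return false unless File.file?(path)
  first_line = File.open(path, "rb") { |f| f.gets }
  !first_line.nil? && !!(first_line =~ RUBY_SHEBANG)
end

# Point the shebang of one ruby script at +ruby_path+, keeping any interpreter
# flags. Returns true if the file was changed, false if it was skipped.
def rewrite_shebang!(path, ruby_path)
  return false unless ruby_script?(path)
  content = File.binread(path)
  first, rest = content.split("\n", 2)
  newline = content.include?("\n") ? "\n" : ""
  # Drop "#!", an optional "/path/env", and the interpreter token; what remains
  # are the flags (possibly empty).
  flags = first.sub(%r{\A#!\s*(?:\S*/env\s+)?\S*ruby[\d.]*}, "")
  new_first = "#!#{ruby_path}#{flags}"
  return false if new_first == first
  File.binwrite(path, new_first + newline + rest.to_s)
  true
end

# Process every entry of a bin directory; returns the paths that were changed.
def fix_shebangs(bin_dir, ruby_path)
  Dir.glob(File.join(bin_dir, "*")).sort.select do |path|
    rewrite_shebang!(path, ruby_path)
  end
end

# Constructed demo: a throwaway bin directory with ruby scripts, a shell script
# and a plain text file. Returns each file's first line after the fix.
def demo_fix_shebangs(ruby_path = "/opt/ruby-enterprise/bin/ruby")
  Dir.mktmpdir("ree-bin") do |bin|
    samples = {
      "gem"    => "#!/usr/bin/ruby\nputs 'gem'\n",
      "rake"   => "#!/usr/bin/ruby1.8 -w\nputs 'rake'\n",
      "irb"    => "#!/usr/bin/env ruby\nputs 'irb'\n",
      "fixup"  => "#!/bin/sh\necho shell\n",
      "README" => "not a script at all\n",
    }
    samples.each { |name, body| File.binwrite(File.join(bin, name), body) }
    fix_shebangs(bin, ruby_path)
    samples.keys.sort.each_with_object({}) do |name, result|
      result[name] = File.binread(File.join(bin, name)).lines.first.chomp
    end
  end
end

puts demo_fix_shebangs.inspect if __FILE__ == $0
```

Reading only the first line before deciding is what keeps the shell script and the README intact; the old behaviour amounted to rewriting line one of every file regardless of what it was.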

sqlite3-ruby gem permissions fixed

The sqlite3-ruby gem installed itself with the wrong permissions: its files would be world-writable by default. The installer now corrects this.

‘PassengerRuby’ instead of ‘RailsRuby’

The installer used to instruct the user to change the ‘RailsRuby’ option for Phusion Passenger. ‘RailsRuby’ has been deprecated since Phusion Passenger 2.0 in favor of ‘PassengerRuby’, so the installer now instructs the user to change ‘PassengerRuby’ instead.

Upgrade instructions

Via the source tarball

Please download the source tarball from the download page and run the built-in installer, as instructed there. To upgrade, install Ruby Enterprise Edition to the same location that you specified last time. (Note that RubyForge is still propagating the files through its file servers; it can take a while before the download link works.)

Via the Debian package

Please install the Debian package by downloading it from the download page (click on the “Linux” tab).

Is this supposed to copy over all my existing gems? If not, I think that would be a useful feature. To reiterate, have the installer copy over (optionally) all my existing gems and re-install them as part of the installation script.

“Phusion” and “Phusion Passenger” are registered trademarks of Phusion. “Rails”, “Ruby on Rails” and the Rails logo are registered trademarks of David Heinemeier Hansson. All other trademarks are property of their respective owners.